Crack File Password With John
Many file formats support encryption with a password. John the Ripper can crack these passwords with dictionary attack.
This article teaches you to obtain Jumbo version and compile it. Finally, you'll test your environment by cracking a ZIP archive password. A sample password protected ZIP file is provided with this article.
What you practice here
In this tutorial, you'll practice
- Cracking file passwords with John dictionary attack
- Obtaining latest versions of penetration testing tools
- Compiling large C project from source code
Before you start, you should already know
- Linux command line
- Have Linux installed
- How to practice penetration testing safely, legally and ethically
You might want to crack passwords with Hashcat first, which is a bit easier.
Use of penetration testing techniques requires legal and ethical considerations. To safely use these tools, tactics and procedures, you might need to obtain contracts and permissions; and posses adequate technical skills. Check your local laws. To learn how to practice safely & legally, consider my penetration testing course.
Install prerequisites
Install the tools we need to work and the libraries required for John. These commands are for Debian 11-Bullseye, but you can find similar packages on other Linuxes, too.
$ sudo apt-get update
$ sudo apt-get -y install micro bash-completion git build-essential libssl-dev zlib1g zlib1g-dev zlib-gst libbz2-1.0 libbz2-dev atool zip wget
Installing software in Linux is indeed convenient. But what do all these packages do?
Package | Purpose |
---|---|
micro | Text editor |
bash-completion | Use tab to complete file names |
git | Clone (copy) Jumbo John source code |
build-essential | C compiler and related tools |
libssl-dev | John requirements |
zlib1g zlib1g-dev zlib1g-gst | For John ZIP support |
libbz2-1.0 libbz2-dev | For John 7zip support |
atool zip | Compression tools, 'aunpack foo.zip', 'unzip foo.zip' |
wget | Web downloader for command line |
Download & Compile John the Ripper, Jumbo version
Latest Jumbo version of John the Ripper supports many file formats. We'll compile John from source, as the version packaged with distributions doesn't seem to contain support for many formats. A paid version also seems to exist, but this one is free.
Download John the Ripper, Jumbo version. Git clone copies the whole project to you. To save download time, we copy just the latest versions of the files using --depth=1, but this is optional.
Installing software outside package management is done on case by case bases. Obviously, the maker of that software could execute any code on our system when we run it.
$ git clone --depth=1 https://github.com/openwall/john.git
Many Linux C and C++ programs are compiled with a variation of './configure && make'.
$ cd john/src/
$ ./configure
Configure will detect the environment and create a Makefile for 'make' command.
If you're missing any dependencies, you'll get a warning here. That's how I found out what packages to install beforehand with 'apt-get'. I read the error messages, then used 'apt-cache search libfoobar' to find the packages containing the missing libraries. We've already installed the dependencies we need here, but if you install some dependencies in the future, remember to run './configure' again.
Then the actual compilation. The correct make command was printed as the end of './configure' output, and I simply copied it here. Running these commands does not require new trust at this point, as we've already run a lot of code from this repository.
$ make -s clean && make -sj4
Compilation takes a couple of minutes minutes. Compilation requires a couple of gigabytes of memory. In my tests, it compiled in three minutes with 4 GB of RAM, but failed on a tiny 0.5 GB RAM virtual machine.
Once John is compiled, we can find the new executables and scripts in run/.
$ cd ../run/
$ ls -1
1password2john.py
7z2john.pl
DPAPImk2john.py
adxcsouf2john.py
aem2john.py
...
$ cd
Let's run it. (I removed some lines from output here)
$ $HOME/john/run/john
John the Ripper 1.9.0-jumbo-1+bleeding-3423642 2023-01-19 00:38:00 +0100 OMP [linux-gnu 64-bit x86_64 AVX2 AC]
Copyright (c) 1996-2022 by Solar Designer and others
Usage: john [OPTIONS] [PASSWORD-FILES]
Did your john spit out it's version number? Well done, you've got it downloaded, compiled and running.
Password Protected ZIP
Here is a sample ZIP file to test your setup. It's password protected. Download tero.zip
$ wget https://TeroKarvinen.com/2023/crack-file-password-with-john/tero.zip
We can try to open it - but in vain.
$ unzip tero.zip
Archive: tero.zip
creating: secretFiles/
[tero.zip] secretFiles/SECRET.md password:
password incorrect--reenter:
password incorrect--reenter:
skipping: secretFiles/SECRET.md incorrect password
Usually, empty directories are extracted, but the file contents are encrypted. So all we get without password are empty directories. In this case, an empty directory "secretFiles/" is created, but contents of SECRET.md remain a mystery.
Crack ZIP Password
Cracking the ZIP password is a two step process. First, extract the hash into a new file called tero.zip.hash.
$ $HOME/john/run/zip2john tero.zip >tero.zip.hash
It prints a couple of lines about the zipfile. You can optionally have a look at the extracted hash with 'cat tero.zip.hash'.
Then, let John perform a dictionary attack against the hash.
$ $HOME/john/run/john tero.zip.hash
There is a lot of output. For a slower hash and more complicated password, it would also take longer.
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:00 DONE 1/3 (2023-02-09 11:09) 0g/s 2112Kp/s 2112Kc/s 2112KC/s Mdzip1900..Msecret1900
Proceeding with wordlist:/home/tero/john/run/password.lst
Enabling duplicate candidate password suppressor
butterfly (tero.zip/secretFiles/SECRET.md)
1g 0:00:00:00 DONE 2/3 (2023-02-09 11:09) 10.00g/s 886030p/s 886030c/s 886030C/s 123456..bob123
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The key line is
butterfly (tero.zip/secretFiles/SECRET.md)
The password is "butterfly"! Now that we know the password, let's just extract the ZIP
$ unzip tero.zip
Archive: tero.zip
[tero.zip] secretFiles/SECRET.md password: [type password here, it's not echoed]
inflating: secretFiles/SECRET.md
And enjoy your loot
$ cat secretFiles/SECRET.md
You've found [REDACTED]
[1] https://TeroKarvinen.com/2023/crack-file-password-with-john/
So many files to crack, from iTunes to Telegram
John the Ripper Jumbo can crack a lot of formats. I did not test each, but here they are:
1password 7z DPAPImk adxcsouf aem aix aix andotp androidbackup androidfde ansible apex apop applenotes aruba atmail axcrypt bestcrypt bestcryptve bitcoin bitlocker bitshares bitwarden bks blockchain cardano ccache cisco cracf dashlane deepsound diskcryptor dmg dmg ecryptfs ejabberd electrum encdatavault encfs enpass ethereum filezilla geli gpg hccap hccapx htdigest ibmiscanner ikescan itunes_backup iwork kdcdump keepass keychain keyring keystore kirbi known_hosts krb kwallet lastpass ldif libreoffice lion lion lotus luks mac mac mcafee_epo monero money mongodb mosquitto mozilla multibit neo network office openbsd_softraid openssl padlock pcap pdf pem pfx pgpdisk pgpsda pgpwde prosody ps_token pse putty pwsafe racf radius radius rar restic sap sense signal sipdump ssh sspr staroffice strip telegram test_tezos tezos truecrypt uaf vdi vmx wpapcap zed zip
You can try some of them. The hash extractors are in "run/", e.g.
$ $HOME/john/run/1password2john.py
Usage: /home/vagrant/john/run/1password2john.py <1Password Agile Keychain(s) / Cloud Keychain(s)> / OnePassword.sqlite
Some extractors look for 'python' when they mean 'python3'. If you get an error, you can create a symlink
$ $HOME/john/run/office2john.py
/usr/bin/env: 'python': No such file or directory
$ sudo ln -s /usr/bin/python3 /usr/local/bin/python
$ $HOME/john/run/office2john.py
Usage: /home/vagrant/john/run/office2john.py <encrypted Office file(s)>
What next?
Create some encrypted files and crack them.
Always use good passwords. Never use bad passwords. Dictionary attack used here would not work for a random password. You can generate those with 'pwgen -s 20 1': "ziGtyrObMgvlxt52U0wz".
Use a password manager.
Only use your new powers for good. Happy hacking!